Introduction  We propose a method of program construction that combines some of the contributions in structured programming, program verification and program synthesis. The new method has the advantage of start-to-finish continuity within a well-understood formal system.

The structured programming approach, developed in response to a concern over the reliability of software, provides a style that helps clarify the meanings of programs. This style advocates top-down refinement in both the control structure of the program and in the structure of the data objects. Both are reflected in modern programming languages, although perhaps not in as elegant and general a form as we might wish. One specific disadvantage is that the programming language forces certain irrelevant engineering decisions (data encodings, fully ordered sequencing where a partial ordering is sufficient, etc.) during the problem-solving phase, where it would be advantageous to deal only with abstractions. Data objects need only be understood in terms of their properties, and in terms of the relations between them and of the functions that act upon them. There is an extensive literature on this subject; for example see Software Specification and Design [Yeh 77].

We also need to state precisely the specification of a program and then to establish formally that the program carries out the task specified. Program verification starts with the program and builds a specification describing it. Program synthesis starts with a specification and builds a program to carry it out. In both, the predicate calculus provides the language in which to express the specification and the formal theory in which to carry out the proof of equivalence, but does not, in general, determine the construction of the program itself.


The method proposed here uses predicate logic for programming, but not as the executable form of the program (as contrasted to Prolog [Warren 76], where it is also executable). Process and data are describable, but at a level of abstraction that is free from implementation issues. In particular, the programming language, compiler and supporting hardware can be ignored. Once the program is correctly prepared in logic, the transition to an executable program is done by equivalence-preserving transformations in the first-order logic, or meta-logic.

This paper ties together several other works by the author [Sickel 76, Sickel and Clark 76, Sickel 77].


Overview  Figure 1 shows the principal components of this approach, and their relative sequencing. The four forms of programs and the three mappings between them are defined in the following sections.


    ASSERTIONAL LOGIC PROGRAM
        |  mapping #1: equivalence-preserving transformations in logic
        v
    COMPUTATIONAL LOGIC PROGRAM
        |  mapping #2: theorem-prover analysis
        v
    COMPUTATION PATHS
        |  mapping #3: semantics-preserving translation
        v
    CORRECT EXECUTABLE PROGRAM

Figure 1. Program forms and their relationships.


An assertional logic program is any set of well-formed formulas of first-order predicate calculus that define a function. All data types and other functions used in this definition must either be primitives or have been previously logically specified. Example:

Given the predicate Member(v,S), meaning v ∈ S, define the predicate Subset(S,T), meaning S ⊆ T.

    Subset(S,T) ≡ (∀v)[Member(v,S) → Member(v,T)]

A computational logic program is an assertional logic program in which

1) all variables are implicitly universally quantified, and

2) all formulas have the form A_1 ∧ A_2 ∧ ... ∧ A_n → B where n ≥ 0, the A_i's and B are positive literals, and B is optional, and

3) the A_i's are implicitly simpler subgoals than B. The particular intent here is to have the derivation of B subgoal driven and to avoid quantifier driven definitions. For example, the assertional logic program given above to determine the subset relation is not computational. The implicit computation is one of trying all elements of the universe to see that if they are in S, they are also in T. This is impossible for infinite domains, and undesirable in all cases. A computational form of Subset is:

    Subset(∅,S)

    Member(v,T) ∧ Subset(S,T) → Subset(v.S,T)

where v.S means {v} ∪ S with the proviso that S ⊂ v.S (strict inclusion).

A computation path is a closed form expression that describes all proofs of a theorem. Green pointed out [69] that theorem proving can be used to compute answers. For example, if factorial(n) = x is represented as the predicate Fact(n,x) and the logic definition is:

    Fact(0,1)

    Fact(n,x) → Fact(n+1,(n+1)*x) †

†This is, of course, assuming + and * as evaluable primitives which are assumed to be correct.

then we can refute

    Fact(5,y)

and in the process compute a value for y: factorial(5) = 120. Therefore, the computation paths also describe the sequence of operations constructing the output. In the case of Subset the form of the computation path is d(cb)*ca ∪ e, where a-e are shown in Figure 2. Each letter can represent a resolution between literals connected by the edge with that label. Then any refutation of Subset(A,B) can be described by e or d(cb)^n ca, n ≥ 0.

To better understand this diagram see Sickel [76]. For a more program oriented description of this computation, see the next section.


Figure 2. Diagram of the literals of the Subset clauses and the labelled edges a-e between them (only the fragments "Member(v,T)", the edge label c and "refute Member(v,T)" survived extraction).

A correct, executable program is defined here to

(1) be expressed in a contemporary programming language, the semantics of which are formally defined, and

(2) be guaranteed to terminate, and

(3) have associated with it an assertional specification which the program is guaranteed to satisfy.

For the subset example, the associated assertional specification is

    Subset(S,T) ≡ (∀u)[Member(u,S) → Member(u,T)]

and the program resembles the following

    logical procedure Subset(S,T)
    e     if S = ∅ then TRUE
          else begin
    d         Remove(v,S)
    c         while Member(v,T) ∧ S ≠ ∅ do
    b             Remove(v,S)
    c,a       if Member(v,T) ∧ S = ∅ then TRUE
              else FALSE
          end

The letters along the left-hand margin correspond to letters appearing in the computation path expression.
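The following Python program is added here as an illustration and is not part of the original paper. It runs the logical procedure for Subset above while recording the edge letter of each step, checks the recorded path against the closed form e ∪ d(cb)*ca from the computation-path section, and computes factorial(n) by the forward Fact derivation described there; the names subset_trace, subset_has_refutation and fact_by_refutation are my own.

```python
import re

# Language of computation paths for Subset, as given in the paper:
# either the single step e (S empty) or d(cb)^n ca with n >= 0.
SUBSET_PATHS = re.compile(r"^(e|d(cb)*ca)$")


def subset_trace(s, t):
    """Execute 'logical procedure Subset(S,T)' and record the letters
    of the steps taken. Returns (truth value, path string).
    Inputs are copied, so the caller's sets are not consumed."""
    s, t = set(s), set(t)
    path = []
    if not s:                      # e: the unit clause Subset(empty, T)
        path.append("e")
        return True, "".join(path)
    v = s.pop()                    # d: split S into v.S' (v not in S')
    path.append("d")
    while v in t and s:            # c: Member(v,T) resolved, more of S left
        path.append("c")
        v = s.pop()                # b: recurse on the tail S'
        path.append("b")
    if v in t and not s:           # c then a: last member checked, S exhausted
        path.extend(["c", "a"])
        return True, "".join(path)
    return False, "".join(path)    # no refutation exists; path is a dead end


def subset_has_refutation(s, t):
    """True iff the procedure succeeds AND its trace lies in the
    computation-path language, i.e. the run is one of the described proofs."""
    ok, path = subset_trace(s, t)
    return ok and SUBSET_PATHS.fullmatch(path) is not None


def fact_by_refutation(n):
    """Compute y such that Fact(n,y) holds by forward chaining from Fact(0,1)
    with Fact(k,x) -> Fact(k+1,(k+1)*x) until the negated goal is refuted."""
    k, x = 0, 1                    # the unit clause Fact(0,1)
    while k != n:                  # one resolution with the implication per step
        k, x = k + 1, (k + 1) * x
    return x


if __name__ == "__main__":
    # Constructed sample input: the paper's Subset({a,b,c},{c,d,a,b,e}).
    print(subset_trace({"a", "b", "c"}, {"c", "d", "a", "b", "e"}))  # (True, 'dcbcbca')
    print(fact_by_refutation(5))                                     # 120
```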

Mapping # 1. The mapping from assertional to computational form is within the predicate calculus and relies on its theorems and rules of inference (distributive, commutative, associative laws, modus ponens, etc.). It is described in detail by Sickel & Clark [77]. This process is partly automatable.

Mapping # 2. Computational logic programs can be analyzed using automatic theorem proving techniques to yield the computation paths. If you wish to compute a function or establish a relation, negate the statement you wish to accomplish and use a theorem prover on the axioms to refute your negated goal. For example, refuting Fact(5,y) causes y = 120 to be computed. Refuting Subset({a,b,c},{c,d,a,b,e}) establishes the truth of its positive form.

If we negate the most general form of the question, e.g. Fact(n,x) or Subset(A,B), then we can derive a schema for all proofs (and therefore computations) of these relations. This schema is the result of a mapping from the axioms and negated theorem onto a grammar whose language is equivalent to the set of all proofs of the theorem from the given axioms. This mapping can be made automatically for all provable theorems in predicate logic [Sickel 77a]. A closed form for the language gives a closed form for the proof set.

Mapping # 3. Going from the computational path expression to the correct, executable program involves two major steps.

1. Represent the data in the target language. Prove that it satisfies the abstract definitions of the data types.

2. Construct the control part of the process by modeling the computation path. The components of the computation path have substitutions associated with them [Sickel 77a]. The substitutions can be used to generate invariants and to suggest constructs in the programming language whose semantics properly interface the invariants. The semantics of the target language must accurately reflect the actions of the compiler and include local hardware peculiarities.

To some extent these two steps are automatable [Sickel 77b].

Conclusions  We have proposed a method of program construction. Programs are expressed in logic. The form of the programs encourages thinking at a high, abstract level. The resulting programs are portable in the first three forms, in that they are aimed at no particular target system. They can be transformed within the deductive system of logic to achieve efficiency, and they can be rewritten in a programming language for execution. Some of the steps can be automated. The resulting programs are more easily understood and their correctness is more credible.